Find the domain controller (logon server) you are authenticated to

Sometimes you may want to find out which domain controller your computer is authenticated with (its logon server). This comes in handy when there are problems enforcing group policies or when users complain about slow logons. A user’s computer may be authenticated to the wrong domain controller if the nearest DC is not available, a firewall blocks access to it, Active Directory sites or subnets are configured incorrectly, or DNS is misbehaving. As a result, the user receives all GPO settings, scripts, etc. from some other DC instead of the nearest one, which can lead to slow GPO processing, slow software deployment, and similar problems.

How to identify which DC a computer is authenticated to?

You can locate the domain controller you’re logged into by using a few methods:

If you logged on to the computer with a local account, the LogonServer variable will contain the computer name instead of a domain controller name.

Once you know the logon domain controller, you can retrieve user information from that DC’s security log (for example, the user’s domain logon history and related events).

You can also have the logon server written automatically to the computer object’s attributes in Active Directory. That way you can quickly look up the LogonServer of a specific computer from AD without needing network or local access to that computer.

How does Windows find the nearest Domain Controller?

The Netlogon service is responsible for discovering the LogonServer while Windows is booting. Make sure the service is running:

get-service netlogon

Netlogon Service in Windows Used for DC Discovery

Simplified, the process by which a Windows client finds a domain controller looks like this:

  1. On Windows boot, Netlogon sends a DNS query for the list of domain controllers (SRV record _ldap._tcp.dc._msdcs.<domain>);
  2. DNS returns the list of DCs in the domain;
  3. The client sends an LDAP query to a DC to obtain its AD site based on its IP address;
  4. The DC returns the AD site matching the client’s IP, or the nearest site (this information is cached in the registry under HKLM\System\CurrentControlSet\Services\Netlogon\Parameters and is reused at the next logon for a faster search);
  5. The client requests via DNS the list of domain controllers in the target site (_ldap._tcp.<sitename>._sites.dc._msdcs.<domain>); the _msdcs and _ldap records in Microsoft DNS are what make logon server discovery work;
  6. The client sends requests to all DCs in the site, and the one that responds first is used as the logon server for authentication.
You can switch your computer to another logon server (AD domain controller) manually with the command:


nltest - Change logon server in Windows

Trusted DC Name \\
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

If the specified DC is not available, an error will appear:

I_NetLogonControl failed: Status = 1311 0x51f ERROR_NO_LOGON_SERVERS

If none of the domain controllers are available or the computer is disconnected from the network, the following message appears when the user logs on:

There are currently no logon servers available to service the logon request.

You can only log on to such a computer by using the domain user’s cached credentials.

You can locate the nearest domain controller by site hierarchy, subnet, and weight using the Get-ADDomainController cmdlet from the Active Directory module for PowerShell:

Get-ADDomainController -Discover -NextClosestSite

This tells you the name of the domain controller the computer should be authenticating through. If it differs from the current logon server, you will need to troubleshoot why.
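As an added example (not from the original article), the following PowerShell script runs through the checks discussed above on one host: it reads the logon server, verifies Netlogon, reads the cached site from the registry, resolves the domain-level and site-level SRV records, and compares the result with Get-ADDomainController -Discover -NextClosestSite. It assumes a domain-joined host with the RSAT ActiveDirectory module installed, an interactive domain session, and that Netlogon stores the cached site in the DynamicSiteName registry value (an assumption about the cache, not something the article states).

```powershell
# Added example: compare the DC this session authenticated with against the
# DC the AD locator would pick now. Not part of the original article.
Import-Module ActiveDirectory

if (-not $env:LOGONSERVER) { Write-Warning 'LOGONSERVER is not set in this session.'; return }
$logonServer = $env:LOGONSERVER.TrimStart('\')
if ($logonServer -ieq $env:COMPUTERNAME) {
    Write-Warning 'Logged on with a local account: LOGONSERVER is this computer, not a DC.'
    return
}

# Netlogon performs DC discovery at boot; if it is stopped, nothing below is meaningful.
$netlogon = Get-Service -Name Netlogon
if ($netlogon.Status -ne 'Running') { Write-Warning "Netlogon service is $($netlogon.Status)." }

# Site cached by Netlogon at the last discovery (DynamicSiteName value is an assumption
# about the Netlogon\Parameters key mentioned in the article).
$domain = $env:USERDNSDOMAIN
$site   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').DynamicSiteName

# Resolve an SRV record and return the short host names of the DCs it advertises.
function Get-DcFromSrv([string]$Name) {
    Resolve-DnsName -Name $Name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' } |
        ForEach-Object { ($_.NameTarget -split '\.')[0] } |
        Sort-Object -Unique
}
$domainDcs = @(Get-DcFromSrv "_ldap._tcp.dc._msdcs.$domain")
$siteDcs   = @()
if ($site) { $siteDcs = @(Get-DcFromSrv "_ldap._tcp.$site._sites.dc._msdcs.$domain") }

# DC the locator considers closest (falls back to the next closest site if needed).
$nearest = (Get-ADDomainController -Discover -NextClosestSite).Name

[pscustomobject]@{
    LogonServer = $logonServer
    CachedSite  = $site
    SiteDCs     = ($siteDcs -join ', ')
    DomainDCs   = ($domainDcs -join ', ')
    NearestDC   = $nearest
}

# Mismatch conditions the article describes: authenticated outside the local site,
# or with a DC other than the one the locator would choose now.
if ($siteDcs.Count -gt 0 -and $siteDcs -notcontains $logonServer) {
    Write-Warning "$logonServer is not a DC of site '$site'; check DNS, sites/subnets and firewall rules."
}
if ($nearest -and $nearest -ine $logonServer) {
    Write-Warning "Locator now prefers $nearest; rerun discovery (nltest) and troubleshoot the difference."
}
```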
